The security issues have more to do with the DOM and other scriptable client resources. It's up to these interfaces to ensure that they do not expose unsafe operations. JavaScript simply allows applications to use the provided interfaces. In the scheme of things, Flash and Java plugins have been at least as problematic for web client security.